authorThomas Fanninger2016-09-29 16:59:58 +0200
committerThomas Fanninger2016-09-29 16:59:58 +0200
commitfa20e49e976fed5c5fe409c2f4981fdd513ad2c2 (patch)
tree5485260e87b710db875157fbc48f9681ad56ddfb
parent552fedb541582cfc8523a686208db6cd58a0eed8 (diff)
downloadaur-fa20e49e976fed5c5fe409c2f4981fdd513ad2c2.tar.gz
Add migration from user www-data to http
-rw-r--r--.SRCINFO14
-rw-r--r--PKGBUILD14
-rw-r--r--caddy-full-bin.install13
-rw-r--r--caddy-systemd-service.patch29
-rw-r--r--caddy_new.service46
-rw-r--r--caddy_old.service46
6 files changed, 131 insertions, 31 deletions
diff --git a/.SRCINFO b/.SRCINFO
index b74e0ba09545..79e525163e72 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,9 @@
# Generated by mksrcinfo v8
-# Thu Sep 29 12:04:13 UTC 2016
+# Thu Sep 29 14:59:33 UTC 2016
pkgbase = caddy-full-bin
pkgdesc = A configurable, general-purpose HTTP/2 web server for any platform (All features enabled)
pkgver = 0.9.3
- pkgrel = 2
+ pkgrel = 4
url = https://caddyserver.com
install = caddy-full-bin.install
arch = i686
@@ -11,8 +11,8 @@ pkgbase = caddy-full-bin
arch = armv7h
arch = aarch64
license = Apache
+ makedepends = patch
depends = systemd>=229
- depends = patch
provides = caddy
conflicts = caddy
conflicts = caddy-git
@@ -20,19 +20,19 @@ pkgbase = caddy-full-bin
source_i686 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=386
source_i686 = caddy-systemd-service.patch
md5sums_i686 = SKIP
- md5sums_i686 = 61c39378589e5c59314e7a157fbf9a53
+ md5sums_i686 = bb3b2b3e58fe090a298e3d20b6f2597b
source_x86_64 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=amd64
source_x86_64 = caddy-systemd-service.patch
md5sums_x86_64 = SKIP
- md5sums_x86_64 = 61c39378589e5c59314e7a157fbf9a53
+ md5sums_x86_64 = bb3b2b3e58fe090a298e3d20b6f2597b
source_armv7h = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=arm
source_armv7h = caddy-systemd-service.patch
md5sums_armv7h = SKIP
- md5sums_armv7h = 61c39378589e5c59314e7a157fbf9a53
+ md5sums_armv7h = bb3b2b3e58fe090a298e3d20b6f2597b
source_aarch64 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=arm64
source_aarch64 = caddy-systemd-service.patch
md5sums_aarch64 = SKIP
- md5sums_aarch64 = 61c39378589e5c59314e7a157fbf9a53
+ md5sums_aarch64 = bb3b2b3e58fe090a298e3d20b6f2597b
pkgname = caddy-full-bin
diff --git a/PKGBUILD b/PKGBUILD
index 64af4fe6dd57..88350514945a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,7 +9,7 @@ _features=('awslambda' 'cors' 'filemanager' 'git' 'hugo' 'ipfilter' 'jwt' 'local
pkgname=caddy-full-bin
_realname=caddy
pkgver=0.9.3
-pkgrel=3
+pkgrel=4
pkgdesc="A configurable, general-purpose HTTP/2 web server for any platform (All features enabled)"
arch=('i686' 'x86_64' 'armv7h' 'aarch64')
url="https://caddyserver.com"
@@ -19,13 +19,13 @@ conflicts=('caddy' 'caddy-git' 'caddy-all-features')
depends=('systemd>=229')
makedepends=('patch')
md5sums_i686=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
md5sums_x86_64=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
md5sums_armv7h=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
md5sums_aarch64=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
install='caddy-full-bin.install'
# expand the feature array
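Review bot: The updated checksums only pin caddy-systemd-service.patch, a file that ships in this repository, while the first entry of each array stays `'SKIP'` for the tarball fetched from the caddyserver.com build service, so the binary that ends up in /usr/bin/caddy is never verified by makepkg; the commit does not change that, but it is the weakest link next to the hardening the new unit enables. For the part that is pinned, `sha256sums_<arch>` arrays are accepted by makepkg and cost nothing over MD5. If the build service output is not reproducible and SKIP genuinely cannot be replaced, a comment beside the arrays saying so, e.g. `# build-service tarballs are generated per request and cannot be pinned`, records the decision instead of leaving it to look forgotten.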
@@ -40,11 +40,11 @@ source_armv7h=("caddy.tar.gz::${_url_prefix}&arch=arm" "caddy-systemd-service.pa
source_aarch64=("caddy.tar.gz::${_url_prefix}&arch=arm64" "caddy-systemd-service.patch")
prepare() {
- patch -p0 -i caddy-systemd-service.patch
+ msg2 "Patching systemd service file"
+ patch -Np1 -i "$srcdir/caddy-systemd-service.patch" "${srcdir}/init/linux-systemd/caddy.service"
}
package() {
- echo "Migration guide for caddy <0.9: https://github.com/klingtnet/caddy-AUR/blob/master/README.md"
install -Dm755 "${srcdir}/caddy" "${pkgdir}/usr/bin/caddy"
install -Dm644 "${srcdir}/init/linux-systemd/caddy.service" "${pkgdir}/usr/lib/systemd/system/caddy.service"
install -Dm644 "${srcdir}/init/linux-systemd/README.md" "${pkgdir}/usr/share/doc/${_realname}/service.txt"
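Review bot: `-p1` on the new patch line has no effect, because the regenerated caddy-systemd-service.patch is in normal diff format (`11,12c11,12`) and carries no file names to strip; the explicit target path is what makes it apply. Dropping the flag and using one `${srcdir}` spelling for both paths reads as intended: `patch -N -i "${srcdir}/caddy-systemd-service.patch" "${srcdir}/init/linux-systemd/caddy.service"`. A comment above the call, `# normal-format diff: the target file must be given explicitly`, would keep a later maintainer from turning it back into a bare `patch -p0 -i`.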
diff --git a/caddy-full-bin.install b/caddy-full-bin.install
index 67f7a9567412..abafe456684f 100644
--- a/caddy-full-bin.install
+++ b/caddy-full-bin.install
@@ -1,6 +1,5 @@
post_install() {
- getent passwd www-data || useradd --system --shell /usr/bin/nologin www-data
- mkdir -p /etc/ssl/caddy && chown -R www-data:www-data /etc/ssl/caddy
+ mkdir -p /etc/ssl/caddy && chown -R http:http /etc/ssl/caddy
}
pre_upgrade() {
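Review bot: `mkdir -p /etc/ssl/caddy` on the added line creates the directory with the caller's default umask mode (typically 0755) and only the owner is set, yet this is the directory the unit points HOME at for Let's Encrypt material (certificates and, presumably, their private keys), so every local account can list and read it unless caddy tightens modes itself, which is not visible from this diff. Enforcing it at creation is one extra call: `mkdir -p /etc/ssl/caddy && chmod 0700 /etc/ssl/caddy && chown -R http:http /etc/ssl/caddy`. Doing it in post_install also covers the post_upgrade path, which reuses the same directory.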
@@ -9,6 +8,16 @@ pre_upgrade() {
post_upgrade() {
systemctl daemon-reload
+ if [ $(vercmp $2 0.9.3-4) -lt 0 ]; then
+ userdel -r -f www-data
+ groupdel www-data
+
+ chown -R http:http /etc/ssl/caddy
+
+ echo "Migration guide for caddy <0.9: https://github.com/klingtnet/caddy-AUR/blob/master/README.md"
+ echo "With the package level 0.9.3-4 the caddy user is changed from 'www-data' to 'http'."
+ echo "You need to update the right for your caddy web directory with 'chown -R http:http <web-root>'"
+ fi
}
pre_remove() {
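Review bot: `userdel -r -f www-data` deletes an account the package may not own: the old post_install (the removed lines in the first hunk) only created www-data when `getent passwd www-data` failed, so on a host where the admin or another package provided it, this upgrade now removes that user together with its home directory and mail spool (`-r`), and `-f` does so even while processes still run under it, which includes a caddy instance still running as www-data because nothing here restarts the service. Safer is to leave removal to the admin and say so, e.g. replace the userdel/groupdel pair with `getent passwd www-data >/dev/null && echo "caddy no longer uses the 'www-data' account; remove it with 'userdel www-data' once nothing else depends on it"`, and extend the printed notice with `systemctl restart caddy` so the process actually switches to 'http'. `$2` should be quoted in the test, `if [ "$(vercmp "$2" 0.9.3-4)" -lt 0 ]; then`, and the message text says "package level" where "package release" is meant.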
diff --git a/caddy-systemd-service.patch b/caddy-systemd-service.patch
index 779703c9247d..3f85f13f9988 100644
--- a/caddy-systemd-service.patch
+++ b/caddy-systemd-service.patch
@@ -1,15 +1,14 @@
---- init/linux-systemd/caddy.service 2016-09-28 21:07:57.000000000 +0200
-+++ init/linux-systemd/caddy.service.patched 2016-09-29 13:51:35.533691718 +0200
-@@ -38,9 +38,9 @@
- ; The following additional security directives only work with systemd v229 or later.
- ; They further retrict privileges that can be gained by caddy. Uncomment if you like.
- ; Note that you may have to add capabilities required by any plugins in use.
--;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
--;AmbientCapabilities=CAP_NET_BIND_SERVICE
--;NoNewPrivileges=true
-+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-+AmbientCapabilities=CAP_NET_BIND_SERVICE
-+NoNewPrivileges=true
-
- [Install]
- WantedBy=multi-user.target
+11,12c11,12
+< User=www-data
+< Group=www-data
+---
+> User=http
+> Group=http
+41,43c41,43
+< ;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+< ;AmbientCapabilities=CAP_NET_BIND_SERVICE
+< ;NoNewPrivileges=true
+---
+> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+> AmbientCapabilities=CAP_NET_BIND_SERVICE
+> NoNewPrivileges=true
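Review bot: The regenerated patch changes only User/Group and the three capability lines and leaves `ExecStart=/usr/local/bin/caddy` untouched, while PKGBUILD installs the binary to `/usr/bin/caddy` (its package() hunk). The patch's ranges `11,12c11,12` and `41,43c41,43` line up exactly with caddy_old.service, which suggests the tarball's unit is that same file; if so, the unit this package installs points at a path it does not provide and the service will not start until the admin intervenes. In that case the patch should also rewrite line 18 to `ExecStart=/usr/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp`, and caddy_new.service should carry the same change so the patch can be regenerated from it. Switching from unified to normal diff format also drops the file headers, so this patch now only applies with the explicit target argument added in prepare(); a short comment in PKGBUILD noting that dependency would help.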
diff --git a/caddy_new.service b/caddy_new.service
new file mode 100644
index 000000000000..9b840276c8c3
--- /dev/null
+++ b/caddy_new.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=http
+Group=http
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=HOME=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
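Review bot: Neither caddy_new.service nor caddy_old.service is listed in any source array or installed by package(), and from the `11,12c11,12` form of the regenerated patch they appear to be the two `diff` inputs used to produce caddy-systemd-service.patch. Nothing says so, so a reader of the repository cannot tell whether these are dead copies or the canonical way to maintain the patch. A comment in PKGBUILD, e.g. `# caddy_old.service / caddy_new.service are the inputs for regenerating caddy-systemd-service.patch (diff caddy_old.service caddy_new.service)`, would make the workflow explicit; it belongs in PKGBUILD rather than in the unit files, since any line added here would shift the patch's line numbers.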
diff --git a/caddy_old.service b/caddy_old.service
new file mode 100644
index 000000000000..536cb3a192f5
--- /dev/null
+++ b/caddy_old.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=www-data
+Group=www-data
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=HOME=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target